
Java Application Security Training


Overview

The objective of this course is to provide extensive hands-on training on Java Application Security. The key highlights of this course are:

  • In-depth discussion and hands-on walkthrough of common Web Application vulnerabilities with focus on impact analysis through exploitation.
  • Special focus on Java technologies such as Applet Testing and Thick Client Testing, including Java implementations of SAML, OAuth, etc.
  • Introduction and usage of Java Security Frameworks and security libraries.
  • Hands-on demonstration on how to avoid and mitigate common Web Application Vulnerabilities for Java applications.

At the end of the program, participants should be able to:

  • Perform Penetration Testing of Java-based Applications.
  • Reproduce vulnerabilities and demonstrate proof-of-concept exploitation of vulnerabilities.
  • Design and architect secure Java-based web applications.
  • Mitigate vulnerabilities and develop secure coding practices in their SDLC.

Target Audience

  • Developers who want to learn secure Java application development.
  • Software Testers who want to explore security aspects of application testing.
  • Designers and Architects who want to consider and implement security best practices as a part of architecture and software development life cycle.

Course Content


Note: The list below gives an overview of the topics that we can cover. Actual topic selection will be based on specific requirements and available time frame.


Introduction

  • Lab Setup
  • Burp Proxy
  • Introduction to Web Application Vulnerabilities
  • Overview of The OWASP Project

Injection Vulnerabilities

  • SQL Injection
  • LDAP, XML & OS Command Injection
  • Finding and exploiting Injection Vulnerabilities
  • Input validation techniques for JavaEE Applications
  • Prepared Statements and Stored Procedures

Cross-site Scripting

  • Finding and Exploiting XSS in Java Applications
  • Output Encoding
  • HTTP Security Headers and XSS

Cross-site Request Forgery

  • Finding and Exploiting CSRF in Java Applications
  • How to implement OWASP CSRFGuard to mitigate CSRF vulnerabilities
  • Servlet Filters and CSRF Protection
  • Additional Defenses

Authentication

  • Authentication Strategies
  • Basic/Digest Authentication
  • Form based Authentication
  • Multi-factor Authentication
  • Certificate based Authentication
  • OAuth
  • SAML
  • Using and Enforcing SSL
  • Secure Password Storage
  • Common Attacks against Authentication Systems
  • Implementing Authentication using Spring Security
  • Implementing Authentication using Apache Shiro
  • Best Practices for implementing Authentication

Authorization

  • MAC & RBAC based Access Control
  • Insecure Direct Object Reference
  • Servlet Filters and CSRF Protection
  • Authorization with Spring Security
  • Authorization with Apache Shiro

Session Management

  • Common Attacks against Session Management
  • Session Hijacking Techniques
  • Session Fixation
  • Clickjacking
  • Hardening your Java Application against session related attacks

AJAX and Web Services Testing

  • REST / SOAP based Web Service Implementations
  • XML Attacks
  • XML Injection
  • XML Entity Expansion (XXE)
  • Testing Web Services using SOAP UI
  • Web Services (JAX-RS) Security
  • REST Security

File Handling

  • Directory Traversal Attacks
  • Security guidelines for implementing File Upload and Download
  • File upload & Nginx

Client Application Testing

  • Reverse Engineering Java Applications
  • Thick Client Java Application Testing
  • Java Applet Testing
  • Flash Content Testing

Framework Security

  • Java Security Features
  • JSR 303 Validators
  • ESAPI Architecture and using ESAPI
  • Database and Web Server Security

Secure Software Development Life Cycle

  • Threat Modeling for Web Applications (STRIDE, DREAD)
  • Tools and Techniques for Static Source Code Analysis
  • Top 5 Secure Design Patterns
  • Secure SDLC Considerations
